Adobe's patch for a remote code execution (RCE) bug in Acrobat this week doesn't mention that the vulnerability is considered a zero-day nor that a proof-of-concept (PoC) exploit exists, a researcher warns.

As part of Adobe's Patch Tuesday, the creative software slinger fixed CVE-2024-41869 - a vulnerability originally reported in June by researcher Haifei Li, founder of zero-day and exploit-detection platform Expmon.

Li's warning comes as the vulnerability was only assigned a 7.8-out-of-10 CVSS base score, which doesn't carry the same weight as a critical severity rating. Considering there's a PoC exploit out in the wild, altogether it means sysadmins may not give the vulnerability the level of prioritization it may deserve.

To Adobe's credit, the vendor does say the use-after-free vulnerability carries a "critical" severity rating, despite its CVSS score suggesting the severity is "high" - one rung down from critical.

Expmon originally expected a patch to be released sooner given the June report date, and its account of the process suggests that was the plan all along, but the first fix didn't quite do the job.

"I can confirm our Acrobat product team has identified a secondary fix that is required to fully address this issue," Adobe told Expmon in August. "We are actively reviewing and working to prioritize the fix in an upcoming patch. I will be sure to follow up with you once we have a clear release time frame."

Expmon said it will be sharing the sample PDF it was given that contained the PoC exploit "within the next few days," so patching quickly will be doubly important once the exploit blueprint is out there for all to peruse.

The PDF file doesn't contain a full exploit as it stands, Expmon said when it announced the discovery in June. There was no malicious payload found in the sample, but the groundwork was laid for a very possible RCE attack. As it stands it just leads to a crash of the Acrobat Reader app.

Once the sample is released, however, it likely won't be long before that groundwork is utilized by some baddies.

It's unclear why Adobe never mentioned the existence of a PoC or that researchers deemed it a zero-day vulnerability. We got in touch with the vendor for answers and will update the story if it responds.

Given the CVSS score wasn't in the critical range, defenders usually appreciate additional information such as whether working exploits are known to the vendor, so their patching process can be better informed.

More details about the issue will be disseminated in the upcoming blog co-authored by Expmon and Check Point Research. ®

https://www.theregister.com//2024/09/12/adobe_acrobat_0day/